Signing your git contributions, emails, etc. with personal SSL certificates

This is a simple checklist on how to request a personal SSL certificate, which will allow you to sign your git contributions or your emails. The procedure is described for the macOSX platform, but can be easily adapted to other platforms.

To generate the personal certificate (documentation in French is available at https://wiki.inria.fr/support/Demander_un_certificat_personnel), you need to:

  • open your web browser at https://www.digicert.com/sso
  • select Inria as Identity provider
  • the next page will be pre-filled with your personal information,
    • select Premium as product
    • select the Validity period
    • click on Request certificate
  • on macOSX, the certificate is stored in your Keychain

At this stage, you should already be able to sign all your emails using the native macOSX Mail application.

If you want to use the certificate on another platform (e.g. iOS) or use it to sign your git contributions, you need to export this certificate from your Keychain.

Some information is available at:

The sequence is:

  • launch Keychain Access.app
  • select My Certificates in the Category menu at the bottom left
  • in the box on the right, you should see your name and a Key from www.digicert.com entry
  • select this key, and export it in PKCS12 format (.p12 extension)

To use the certificate with git (and then sign your contributions):

  • install gnupg
$ brew install gnupg

  • import the certificate in the gnupg keyring and get your certificate id
$ gpgsm --import my_certificate.p12
$ gpgsm --list-keys
/Users/jls/.gnupg/pubring.kbx
-----------------------------
ID: 0x1EXXXA79
S/N: 0BEA14B3DD22C0A32C7C1140C624985B
Issuer: /CN=TERENA Personal CA 3/O=TERENA/L=Amsterdam/ST=Noord-Holland/C=NL
Subject: /CN=Jean-Luc SZPYRKA/O=Institut National de Recherche en Informatique et en Automatique/L=Rocquencourt/C=FR
etc...
  • configure git to sign in X.509 format with this certificate, using gpgsm
$ git config --global user.signingkey 1EXXXA79
$ git config --global gpg.x509.program gpgsm
$ git config --global gpg.format x509
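
To check the result of the steps above, here is an added example (written for this checklist, not part of the original post) that audits the git settings against the gpgsm keyring. The function name `audit_x509_signing` and the sample key id are hypothetical; git accepts a misspelled key such as `pgp.format` without any error, which is the kind of mistake it reports.

```shell
#!/bin/sh
# Added example: audit_x509_signing and the sample data are hypothetical/constructed.
# stdin: output of `git config --list`; $1: file with `gpgsm --list-secret-keys` output.
# Prints one finding per line and returns 1 if any check FAILs.
audit_x509_signing() {
    keys_file=$1
    cfg=$(cat)
    rc=0
    # The last occurrence of a key wins, as in git's own config resolution.
    cfg_get() { printf '%s\n' "$cfg" | sed -n "s/^$1=//p" | tail -n 1; }

    # git stores unknown keys without complaint, so a misspelled section
    # (pgp.* instead of gpg.*) is silently ignored at signing time.
    if printf '%s\n' "$cfg" | grep -q '^pgp\.'; then
        echo "FAIL: 'pgp.*' key found; git only reads 'gpg.*'"; rc=1
    fi
    fmt=$(cfg_get 'gpg\.format')
    if [ "$fmt" != "x509" ]; then
        echo "FAIL: gpg.format is '${fmt:-unset}', expected 'x509'"; rc=1
    fi

    # Normalise ids: drop an optional 0x prefix and upper-case the hex digits.
    key=$(cfg_get 'user\.signingkey' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    ids=$(sed -n 's/^[[:space:]]*ID:[[:space:]]*0[xX]//p' "$keys_file" | tr 'a-f' 'A-F')
    if [ -z "$key" ]; then
        echo "FAIL: user.signingkey is unset"; rc=1
    elif ! printf '%s\n' "$ids" | grep -qxF "$key"; then
        echo "FAIL: no private key with id $key in the gpgsm keyring"; rc=1
    fi

    # Without commit.gpgsign, only `git commit -S` produces signed commits.
    case $(cfg_get 'commit\.gpgsign') in
        true|yes|on|1) ;;
        *) echo "NOTE: commit.gpgsign is off; sign explicitly with 'git commit -S'" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: git will sign with X.509 key $key"
    return "$rc"
}

# Demo on constructed input (placeholder key id, not a real certificate).
demo_keys=$(mktemp)
printf 'ID: 0x1A2B3C4D\nS/N: 00\n' > "$demo_keys"
printf 'user.signingkey=1a2b3c4d\ngpg.format=x509\n' | audit_x509_signing "$demo_keys"
rm -f "$demo_keys"
```

On a real machine, save the output of `gpgsm --list-secret-keys` to a file and pipe `git config --list` into the function with that file as its argument.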

That’s all folks!

P.S.: another way is to use Inria’s helpdesk to request a personal certificate (https://helpdesk.inria.fr/categories/128/submit) and then import it into all your keyrings. This exercise is left to the reader for long winter evenings.
